n_e 4 hours ago

> Yes, you can lock deps in NPM/Cargo/etc. but that's not the default. It is the default in Go.

How is it not the default in npm?
chuckadams 3 hours ago (parent)

It is the default in both cargo and npm, but "npm install" stupidly enough still updates the lockfile, and you need "npm ci" to actually respect it. I think there's some flag to make install work sanely, but long-term I find the best approach is to use anything other than npm. I ditched npm for yarn years ago because it had saner dependency resolution (npm's peer dependency algorithm was a constantly moving target), and now I've switched from yarn to bun because it doesn't run hooks in dependencies by default. It also helps that it installs dependencies 10x faster.
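The distinction chuckadams draws (`npm install` silently rewriting the lockfile, `npm ci` refusing to run when package.json and package-lock.json disagree) is the check that keeps a CI build from quietly picking up a newer dependency than the one reviewed. The script below is an added illustration, not code from this thread or from npm itself: it reimplements that sync check offline against a lockfile v2/v3 document (the `packages` map with a `""` root entry and `node_modules/<name>` entries) and additionally flags entries that lack an `integrity` hash, since a lockfile without integrity values pins a version but not the bytes. The package.json and lockfile contents are constructed samples.

```python
"""Offline check that package-lock.json is in sync with package.json and
fully pinned. Approximates the refusal `npm ci` gives on a drifted lockfile;
this is an added example, not npm's own implementation."""
import json
from typing import Dict, List


def declared_deps(pkg: dict) -> Dict[str, str]:
    """Flatten dependencies and devDependencies from a package.json object."""
    deps: Dict[str, str] = {}
    for field in ("dependencies", "devDependencies"):
        deps.update(pkg.get(field, {}))
    return deps


def lockfile_root_deps(lock: dict) -> Dict[str, str]:
    """Ranges the lockfile recorded for the root project under packages[""]."""
    root = lock.get("packages", {}).get("", {})
    deps: Dict[str, str] = {}
    for field in ("dependencies", "devDependencies"):
        deps.update(root.get(field, {}))
    return deps


def check_lockfile(pkg: dict, lock: dict) -> List[str]:
    """Return a list of drift/pinning problems; an empty list means in sync."""
    problems: List[str] = []
    if lock.get("lockfileVersion", 0) < 2:
        # v1 lockfiles have no packages[""] section to compare against.
        return ["lockfileVersion < 2: regenerate the lockfile with a current npm"]
    root = lockfile_root_deps(lock)
    packages = lock.get("packages", {})
    wanted_all = declared_deps(pkg)
    for name, wanted in wanted_all.items():
        recorded = root.get(name)
        if recorded is None:
            problems.append(f"{name}: declared in package.json but absent from lockfile root")
        elif recorded != wanted:
            # This is the case npm ci refuses: manifest and lockfile disagree.
            problems.append(f"{name}: package.json wants {wanted} but lockfile root records {recorded}")
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            problems.append(f"{name}: no node_modules/{name} entry in lockfile")
            continue
        for field in ("version", "resolved", "integrity"):
            if not entry.get(field):
                problems.append(f"{name}: lockfile entry lacks '{field}'")
    for name in root:
        if name not in wanted_all:
            problems.append(f"{name}: in lockfile root but not in package.json (stale lockfile)")
    return problems


# Constructed sample inputs (not from any real project): lodash's range was
# bumped in package.json without re-locking, lodash has no integrity hash,
# and jest was never installed into the lockfile.
SAMPLE_PACKAGE_JSON = json.loads("""{
  "name": "sample-app",
  "dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21"},
  "devDependencies": {"jest": "^29.0.0"}
}""")

SAMPLE_LOCKFILE = json.loads("""{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "sample-app",
      "dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.20"},
      "devDependencies": {"jest": "^29.0.0"}
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.example.invalid/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDERintegrityvalue=="
    },
    "node_modules/lodash": {
      "version": "4.17.20",
      "resolved": "https://registry.example.invalid/lodash/-/lodash-4.17.20.tgz"
    }
  }
}""")


def sample_problems() -> List[str]:
    """Run the check over the constructed sample."""
    return check_lockfile(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE)


if __name__ == "__main__":
    for line in sample_problems():
        print("DRIFT:", line)
```

Running it on the sample reports three problems: the lodash range mismatch, the missing lodash integrity, and the absent jest entry. In a pipeline the equivalent is simply `npm ci` (which exits non-zero on the first of these), but the explicit check is useful for reviewing lockfiles without installing anything.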